NPM is probably the worst part. It solves the easy problem using brute force and 20 copies of the same library, but punts on actual packaging. Joyent's advice is "don't use NPM to deploy -- use tarballs." What kind of package manager requires you not to use it for deployment??
I really think NPM is a solution for immaturity on the node libraries. Think about the attack surface when you have 20 different versions of the same library scattered throughout your application.
Not having to understand your library dependencies means you don't understand all of the security bugs from old versions of libraries. You should understand your library dependencies. Forgetting about them doesn't make those relationships go away.